On Thu, Dec 04, 2014 at 03:56:53AM -0500, Laine Stump wrote:
On 12/03/2014 12:02 PM, Daniel P. Berrange wrote:
> On Tue, Dec 02, 2014 at 12:08:30PM -0500, Laine Stump wrote:
>> (Everyone - see the request for opinions/ideas towards the bottom)
>>
>> The idea behind these patches is the following:
>>
>> 1) most virtual machines only have a single MAC address behind each
>> interface, and that MAC address is known by libvirt.
>>
>> 2) If we (i.e. libvirt) manually add an entry to the bridge's
>> forwarding database (fdb) for the MAC address associated with a port
>> on the bridge, we can turn off learning and unicast_flooding for that
>> port.
>>
>> 3) kernels starting with 3.15 (and actually working correctly starting
>> in kernel 3.17) will notice that all of a bridge's ports have flood
>> and learning turned off, and in that case will turn off promiscuous
>> mode on all ports. If all but one of the ports have flood/learning
>> turned off, then promiscuous will be turned off on that port (and left
>> on for all the other ports)
>>
>> 4) When (4) can be done, there is a measurable performance
>> advantage. It can also *kind of* help security, as it will prevent a
>> guest from doing anything useful if it changes its MAC address (but
>> won't prevent the guest from *sending* packets with a spoofed MAC
>> address).
>>
>> NB: These only work with a fixed MAC address, and no vlan tags set in
>> the guest. Support for both of those will be coming.
> So just to be clear on the functional differences between the
> impls
>
> With the current impl
>
> 1. The bridge has a table mapping MAC <-> TAP devices
> which is initially empty
> 2. Whenever a TAP device sends a packet, it causes an
> entry to be added to the MAC <-> TAP table
> 3. When the bridge needs to forward a packet with a MAC
> - If MAC is unknown, it is sent to all TAP devices
> - Else it is send to the specific TAP device
> 4. The physical device is always promiscuous to see all
> traffic on the LAN
>
> An result of point 2, is that if the guest changes its
> MAC address on the fly, it merely needs to send a packet
> and the bridge will learn its new MAC address. That said
> our firewall rules can potentially block this dynamic
> change.
>
>
> With the new impl
>
> 1. The bridge has a table mapping MAC <-> TAP devices
> which is initially empty
> 2. Libvirt tells the bridge what MAC address is associated
> with each TAP device added
> 3. The bridge always forwards the packets to the correct
> TAP device
> 4. The physical device is never promiscuous, it is
> programmed with MACs of all TAP devices
>
> In both cases the guest can send packets with spoofed
> MAC addresses. In the old code these packets would make
> it onto the LAN and it can receive replies back. In the
> new code these packets would make it onto the LAN but
> it will never receive replies back.
>
>
> At a high level the conceptual difference is whether the table
> of MAC addresses & TAP devices is statically defined by libvirt
> or dynamically defined on the fly.
>
>> HERE IS THE REQUEST FOR OPINIONS/IDEAS:
>>
>> This V2 of the patchset addresses several issues brought up by jferlan
>> on the original series, and changes the name of the attribute from:
>>
>> promiscLinks='yes|no'
>>
>> to
>>
>> fdb='learningWithFlood|managed'
>>
>> I'm somewhat more happy with this new naming than the previous but
>> still looking for better ideas. It is closer to describing what the
>> new code really does, but "learningWithFlood" seems a bit long and
>> awkward, while I have been told that "fdb" is too short and
>> unrecognizeable (I will point out that 1) "fdb" is the same name used
>> by iproute2's "bridge" command, and 2) another bridge option,
"stp" is
>> also a three letter acronym that will only be recognized by those
>> familiar with configuring an L2 bridge device or watching NASCAR on
>> Saturday afternoons (or whenever it's on - not a fan myself :-))
> One thing to remember is that libvirt is supposed to be providing a
> higher level configuration language that is independant of specific
> implementations. 'fdb' is terminology specific to the Linux
> bridge implementation, so I don't think that's appropriate to use
> in the XML configuration.
Good point. I'd been seeing this as a generic term, but I guess it isn't.
> There is a user visible change in behaviour because this new solution,
> as implemented in this patch series, will no longer allow a guest to
> change its MAC address on the fly.
>
> Of course if QEMU can provide a notification to libvirt when the guest
> changes its MAC address, then libvirt can update the MAC table and so
> re-gain functional equivalance with the old solution. I think we would
> want to be able to turn that on or off though.
For macvtap interfaces, we can already do that using
trustGuestRxFilters='yes' (a name I don't really like in a location I
don't really like (attribute of toplevel <interface> element), but
couldn't come up with anything better and didn't get any other
suggestions at the time). This has been in libvirt since last month's
release. My thought was that if trustGuestRxFilters is yes and the
interface is on a bridge, we can then honor any changes to mac address.
(This is where my dislike of my own choice for name of that option comes
in - I can now see a need to allow the guest to change its vlan table or
multicast table and honor those changes, while not allowing it to change
its MAC address, or vice versa; it probably would have been better to
add a new element called <rxFilter> or something, and have a separate
attribute for trusting each piece. It has now been in one release,
though, so I guess we're stuck with it.)
>
> This all leads me to suggest that we should use the following syntax
> that is indepedant of the particular implementation choice, and instead
> represents the logical behaviour of the feature.
>
> macTable=static|dynamic
>
> The mode of 'static' means that the MAC address table will always
> match MACs recorded in libvirt guest XML. This is the new mode
> that your patches implement
>
> The mode of 'dynamic' means that the MAC address table will be
> able to dynamically update itself as the guest changes MAC addresses.
> In the near term, this will use the traditional bridge learning
> mode. In the long term, if we can get MAC change notifications from
> QEMU, we can switch this over to use the new bridge features.
I do think that eventually libvirt should make self-management of the
mac table the default, but even then I think we need to retain the
ability to disable it and let the kernel do as it may, just in case
there are compatibility problems if for no other reason.
Also, I think that enabling/disabling guest-initiated MAC address
changes should be possible at the per-interface level, not (just)
per-network. This can be done with the above-mentioned
trustGuestRxFilters attribute (which can be set in a single interface,
or for a network or network portgroup).
So I like naming the attribute "macTable", as that is more generic, but
I'm not sure about the values "static" and "dynamic", because
"dynamic"
could describe two different things (dynamically changed by the kernel
via learning and flood, or dynamically changed via libvirt being an
omniscient hypervisor god that knows what to plug into the table), and
"static" is something that can already be described via setting
trustGuestRxFilters='no' combined with a "let libvirt control the mac
table" option.
Maybe the problem is that you're providing a good name based entirely on
the differences in behavior the guests can see, but what I'm looking for
is a way to control how that behavior is provided, so more of a backend
thing. (Note that if the "backend" is the bridge module, "static"
isn't
possible now and never will be, while if the backend is explicit
management by libvirt, then "dynamic" isn't currently available, but
will be in the future).
So perhaps more along the lines of macTableManager="kernel|libvirt"
Regards,
Daniel
--
|:
http://berrange.com -o-
http://www.flickr.com/photos/dberrange/ :|
|:
http://libvirt.org -o-
http://virt-manager.org :|
|:
http://autobuild.org -o-
http://search.cpan.org/~danberr/ :|
|:
http://entangle-photo.org -o-
http://live.gnome.org/gtk-vnc :|